The WS-A SOAP Binding [1] does not lay out any specific requirements for the presence of Message Addressing Properties (MAPs) in the SOAP header. The WS-A WSDL Binding [2] does define required MAPs for certain WSDL MEPs [3]. The WSDL Binding requires a WS-A message ID property for a request-response MEP.

A CXF client always sends a message ID when WS-A is in use, but I am working on negative security test-cases and found that the MAPAggregator isn't enforcing the presence of the message ID property on the server side. MAPAggregator currently looks at the message ID if allowDuplicates is turned off, but only looks if the value is non-null. The interceptors have access to the MEP and could enforce the presence of the property when in a request-reply MEP.

Where I am a little foggy on creating a patch for this issue is in the fact that one can do SOAP messaging without a WSDL. Does it make sense to always enforce the WS-A WSDL Binding property requirements? Outside of the JAX-WS front-end, would this enforcement always make sense? Are there other impediments to enforcing this behavior such as TCKs, etc.?

Additionally, if the ID is missing, the fault for a request-response MEP should still carry a relationship MAP per the WS-A WSDL Binding requirements. It follows that "http://www.w3.org/2005/08/addressing/unspecified" would be used as the message identifier IRI in this case [4].

[1] http://www.w3.org/TR/ws-addr-soap/
[2] http://www.w3.org/TR/ws-addr-wsdl/
[3] http://www.w3.org/TR/ws-addr-wsdl/#WSDLMEPS
[4] http://www.w3.org/TR/ws-addr-core/#msgaddrprops

David Valeri
---------------------------
http://davidvaleri.wordpress.com/
http://twitter.com/DavidValeri
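
The server-side check discussed in this message, sketched at the wire level as an added example (not part of the original post and not CXF code): it rejects a request-response message whose wsa:MessageID is absent or empty and picks the wsa:RelatesTo value for the resulting fault. The function names and the sample envelopes are assumptions constructed for illustration, and input is assumed to be UTF-8.

```python
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
UNSPECIFIED = WSA + "/unspecified"  # message identifier IRI cited as [4]
SOAP_ENVELOPES = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)

def read_message_id(envelope: bytes):
    """Return the wsa:MessageID text, or None when it is absent or empty."""
    if b"<!DOCTYPE" in envelope:
        # SOAP forbids a DTD; refuse before parsing (assumes UTF-8 input).
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(envelope)
    for soap_ns in SOAP_ENVELOPES:
        header = root.find(f"{{{soap_ns}}}Header")
        if header is not None:
            element = header.find(f"{{{WSA}}}MessageID")
            if element is not None:
                return (element.text or "").strip() or None
    return None

def check_request(envelope: bytes, request_response: bool):
    """Return (accepted, relates_to) for an inbound request.

    relates_to is the value for wsa:RelatesTo on the reply or fault; it is
    None only for an accepted one-way message that carried no ID.
    """
    message_id = read_message_id(envelope)
    if message_id is not None:
        return True, message_id
    if request_response:
        # Required MAP missing: reject, and relate the fault to the
        # "unspecified" IRI since there is no request ID to echo.
        return False, UNSPECIFIED
    return True, None

# Constructed sample envelopes (hypothetical values, not captured traffic).
ENV_TEMPLATE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header>{}</s:Header>'
    "<s:Body/></s:Envelope>"
)
WITH_ID = ENV_TEMPLATE.format("<a:MessageID>urn:uuid:constructed-1</a:MessageID>").encode()
NO_ID = ENV_TEMPLATE.format("<a:Action>urn:example:op</a:Action>").encode()
EMPTY_ID = ENV_TEMPLATE.format("<a:MessageID>  </a:MessageID>").encode()

if __name__ == "__main__":
    for name, env in (("with id", WITH_ID), ("no id", NO_ID), ("empty id", EMPTY_ID)):
        print(name, check_request(env, request_response=True))
```

A whitespace-only ID is treated the same as a missing one, which is a choice made for this sketch rather than something the message specifies.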
